Go to main content

Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.3

Exit Print View

Updated: December 2018

File and File System Security Changes

The following changes pertain to file and file system security.

aclmode Property Reintroduced

The aclmode property that determines how the ACL permissions on a file are modified during a chmod operation is reintroduced in this release. The aclmode values are discard, mask, and passthrough. The discard default value is the most restrictive, and the passthrough value is the least restrictive.

immutable, nounlink, and appendonly Attributes

For information about how to protect files and zones by using these attributes, see Examples of Setting Security-Relevant Attributes on ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3.

Encrypting ZFS File Systems

In previous Oracle Solaris releases and in this release, the Cryptographic Framework feature provides the encrypt, decrypt, and mac commands to encrypt files.

    Oracle Solaris 10 does not support ZFS encryption. However, Oracle Solaris 11 supports the following ZFS encryption features:

  • ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, key change and rekey operations are performed online.

  • You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.

  • ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS delegated administration.

  • Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of 128, 192, and 256 in the CCM and GCM operation modes.

  • ZFS encryption uses the Cryptographic Framework feature, which gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms automatically.

Note - Currently, you cannot encrypt a ZFS root file system or other OS components, such as the /var directory, even if it is a separate file system.

See Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.3.

Immutable Zones

The file-mac-profile property enables you to run zones with a read-only root file system. This feature enables you to choose between four predefined profiles that determine how much of a zone file system is read-only only, even for processes that have allzone privileges. See Chapter 11, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones.